If you find a security problem, please do not open a public issue for it.
Use GitHub Security Advisories and include:
- affected component or route
- reproduction steps
- impact assessment
- any suggested mitigation
After receiving a report, I will:
- acknowledge receipt promptly
- validate the report
- prepare a fix and release plan
- disclose publicly after a fix is available when appropriate
I would rather get a quiet report early than have someone try to be polite and wait.